Identifying Signs of Runtime-Linking and Building Context for API Hashes in Lockbit Malware - Part 3
Dr Josh Stroschein via YouTube
Overview
Explore the intricacies of Lockbit's runtime linking techniques in this 16-minute video tutorial. Delve into how the malware dynamically builds its import table, a crucial aspect of reverse engineering. Uncover the use of precomputed values instead of strings as an additional layer of obfuscation. Learn to identify signs of runtime linking, understand the purpose of precomputed hashes/checksums, and build context around API importation. Dive deeper into the malware's structure, examining its use of recursion for dynamic API resolution. Conclude with a practical demonstration of stepping through the code in a debugger, enhancing your malware analysis skills.
Syllabus
Finding evidence of runtime linking
Precomputed hashes/checksums and what they are used for
Building context around how APIs will be imported
Another layer deeper
Using recursion to dynamically resolve APIs
Stepping through the code in a debugger
Taught by
Dr Josh Stroschein